Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

What's the best practice for sharing videos hosted on Amazon S3 using presigned URLs?

0

We're considering using presigned URLs to share videos hosted on Amazon S3. What's the best way to do that while still securely managing the endpoints?

There are two use cases that present a potential security problem for us:

  • If the user is streaming a video, the video starts off with an incomplete byte-range request of 0- to download the whole file. Then, if the user jumps ahead in the video, and the client hasn't yet received the bytes for that part of the file, another request to the same URL with a byte range starting from the part of the video the user has jumped to.
  • If a download is paused halfway through the download natively in the browser and the user resumes the download after the initial request has expired, another byte-range request for the remainder of the content will be made.

To support either of these use cases with a presigned URL, we'd need to keep the signing valid for the duration of the download, which is a concern from a security perspective.

Is there a best practice for handling this?

Argomenti
Archiviazione
Tag
Servizio di archiviazione semplice di Amazon
Lingua
English
AWS
Paul_A
posta 7 anni fa1158 visualizzazioni
1 Risposta
0
Risposta accettata

Consider using Amazon CloudFront, which has enhanced singed URL features like custom policies. You can use the custom policies to restrict access to only the source IP address or address range, allowing you to more securely set a longer duration before the signed URL expires.

For more information, see Creating a signed URL using a custom policy in the Amazon CloudFront developer guide.

Note: Creating a signed URL using a custom policy in Amazon CloudFront is also great way to manage formats such as HLS/HDS because you can use wildcard characters.

profile pictureAWS
ESPERTO
Evgeny-At-AWS
con risposta 7 anni fa
profile picture
ESPERTO
Sedat Salman
verificato un anno fa
  • AWS-User-6244055
    2 anni fa

    Is there a way to use a custom policy to sign the hls url in CloudFront and only sign the initial cloudfront url and not each individual underlying url in s3?

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente